Utility Computing
Utility computing (on-demand computing) would require the dynamic entity management features of WSRF.
Current system infrastructure is static, heterogeneous and relatively coarse-grained.
It is also often tailored to the in-house requirements of the owning department.
A move to utility computing would mean using infrastructure on a pay-per-use basis.
Compute grids are therefore similar to power grids and phone networks.
[Figure: layered Grid architecture diagram with layers labelled Core OGSI; Policies; Integration; Application API; and CLI, GUI, Portal, CoG]
Grid Developments
GT 2.x supported GRAM, GridFTP and MDS.
These services were not integrated; each used its own protocol.
Grid and WS
XML and SOAP provide a generic and flexible communication fabric that is easy to implement.
The SOA can provide the Grid service layer functionality.
The Web Services Definition Language (WSDL) standardises interface descriptions, enabling dynamic discovery of services.
WS-Resource Framework
Globus and IBM proposed WSRF as a new set of standards.
WSRF proposes a standard way of associating resources with Web services.
An extra abstraction is added to Web services to support virtualisation and on-demand computing.
WS-Resource Characteristics
WS-Resources are dynamic: they are created and destroyed on demand.
WS-Resource Addressing
A WS-Resource has no explicit address of its own; it can only be reached through its associated service.
A WS-Resource is identified by the endpoint reference (the address of the Web service) followed by the relative identifier of the particular resource.
Virtual Organisation
The technological challenge of presenting scattered, heterogeneous IT resources seamlessly through uniform gateway services is solved by WSRF.
Management functions are still required to decide who gets access, and to how much of the resource: membership of the various categories, and access privileges.
PUBLIC KEY INFRASTRUCTURE AND GRID SECURITY
References/Reading
Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, 1996
http://www-unix.globus.org/toolkit/docs/3.2/security.html
http://myproxy.ncsa.uiuc.edu
http://shibboleth.internet2.edu/
http://www.csse.monash.edu.au/~carlo/SYSTEMS/CryptoPart-1-0798.htm
http://www.csse.monash.edu.au/~carlo/SYSTEMS/CryptoPart-2-0898.htm
Grid Security
Overview
GSI is a set of libraries and tools developed by Globus; it is an overlay on the transport-layer security protocol, SSL.
It uses a public key infrastructure (PKI) to achieve authentication, data integrity verification, single sign-on, and an inter-organisation decentralised security system.
All Grid entities (users and processes) must have a public key certificate.
PKI
Under a Public Key Infrastructure, each grid user has a key pair.
Key Pair = (public key + private key)
PKI Certificates
PKI - Illustrated
[Figure: Scenario 1 - Data is encrypted with the Public Key, transferred, and decrypted with the Private Key. Scenario 2 - Data is encrypted with the Private Key, transferred, and decrypted with the Public Key]
PKI Scenarios
Scenario 1 (privacy): all users wishing to communicate with Bob encrypt data using his public key; only Bob can decrypt the data, using his private key.
Scenario 2 (authentication): Bob wishes to communicate with all users, so he encrypts data using his private key; users subsequently use Bob's public key for decryption.
PKI in Detail
A Certification Authority (CA) signs user-generated certificates.
Bob generates a public/private key pair and a public key certificate using a tool such as GNU Privacy Guard (GPG).
Bob approaches a CA to have his certificate signed.
Bob publishes his public key globally.
Alice, wishing to communicate securely with Bob, uses Bob's public key to encrypt her message.
Bob receives the message and decrypts it using his private key.
Note: the CA which signed Bob's certificate must also be present in Alice's list of trusted CAs for Alice to be able to verify the validity of Bob's certificate.
Digital Signatures
Digital signatures allow verification of data integrity as well as of the data origin.
A hash function (H) is defined as a function which takes an arbitrary-length message as input and generates a fixed-size output, called the hash of the message.
A hash function is generally a one-way function, i.e. a message cannot be recovered from its hash value.
Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA) are two examples of hash functions.
Digital Signatures
A digital signature is defined as follows: for a message m originating from Bob's machine, with Bob's public key being Bob_pub, the digital signature of m is given by:
Signature = Encrypt(Hash(m)) with Bob_private
This signature is appended to message m when Bob transfers it to a recipient.
A digital signature and a digital certificate are two entirely different things.
Digital Signatures
The recipient verifies the message origin as well as the message integrity by recalculating the hash of the received message and comparing it with the received hash value (recovered from the signature using Bob's public key).
If the message is tampered with en route to the destination, the computed hash will differ from the received value.
If the two values are the same, the message integrity is verified and the message is deemed intact.
Mutual Authentication
Alice and Bob are two grid users with certificates, and they trust a common CA.
Mutual authentication means that Alice and Bob prove their respective identities to each other.
A prerequisite for this process is that Alice and Bob each have a signed copy of the CA's certificate.
Mutual Authentication
[Figure: Alice and Bob both hold the Trusted CA's certificate. Bob sends Alice Bob's Certificate; Alice sends Random Number 1; Bob replies with E{Random Number}Bob_priv. Alice sends Bob Alice's Certificate; Bob sends Random Number 2; Alice replies with E{Random Number}Alice_priv. Legend: Bob_priv = Bob's Private Key; E{ } = Encryption Function]
Mutual Authentication
Alice authenticating Bob:
Alice requests Bob's certificate.
Alice checks the validity of the certificate by checking the CA's signature.
Alice still needs to make sure Bob is who he claims to be:
Alice sends a random number to Bob.
Bob encrypts it using his private key and sends it to Alice.
Alice decrypts the message using Bob's public key.
If the result is the same as the random number, Bob has successfully proven his identity to Alice.
The above steps are repeated in the opposite direction for Bob to verify Alice's identity.
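The two PKI scenarios, the digital signature definition (Signature = Encrypt(Hash(m)) with Bob's private key, verified by recomputing the hash) and the challenge-response mutual authentication above, worked through in one added Python example. This is illustration code written for this page, not Globus or GSI code. It assumes a toy textbook RSA (small primes found by trial division, no padding), a SHA-256 hash reduced modulo n as the signed value, and a CA-signed JSON dictionary as a stand-in for an X.509 certificate; all names and sample data are constructed.

```python
import hashlib
import json
import math
import secrets

# Toy textbook RSA built for this example: small primes found by trial division
# and no padding, so it only illustrates the slides' Encrypt/Decrypt notation.
E = 65537

def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def keygen(start):
    """(public_key, private_key) as (n, exponent) pairs, built from the two
    primes at or above 'start'; deterministic so the example is repeatable."""
    p = next_prime(start)
    q = next_prime(p + 1)
    while math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E * d == 1 (mod phi)
    return (n, E), (n, d)

def apply_key(x, key):
    """x ** exponent mod n; the slides write this as Encrypt/Decrypt."""
    n, exp = key
    return pow(x, exp, n)

def encrypt_bytes(data, key):
    """Scenario 1: encrypt 4-byte blocks (each < n) with the public key."""
    return [apply_key(int.from_bytes(data[i:i + 4], "big"), key)
            for i in range(0, len(data), 4)]

def decrypt_bytes(blocks, key):
    """Inverse of encrypt_bytes for NUL-free text (zero padding is stripped)."""
    return b"".join(apply_key(c, key).to_bytes(4, "big").lstrip(b"\x00")
                    for c in blocks)

def hash_int(message, n):
    """Hash(m) reduced mod n so that it is a valid RSA input (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    """Signature = Encrypt(Hash(m)) with the private key, as the slide defines."""
    return apply_key(hash_int(message, private_key[0]), private_key)

def verify(message, signature, public_key):
    """Recompute Hash(m) and compare it with the hash recovered from the signature."""
    return apply_key(signature, public_key) == hash_int(message, public_key[0])

def issue_certificate(subject, public_key, ca_private):
    """The CA signs the (subject, public key) binding; a toy stand-in for X.509."""
    body = {"subject": subject, "public_key": list(public_key)}
    encoded = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(encoded, ca_private)}

def check_certificate(cert, trusted_ca_public):
    """The verifier only trusts certificates signed by a CA in its trust list."""
    encoded = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(encoded, cert["ca_signature"], trusted_ca_public)

def authenticate(trusted_ca_public, prover_cert, prover_private):
    """One direction of the slides' protocol: check the CA's signature on the
    certificate, send a random number, the prover encrypts it with its private
    key, the verifier decrypts with the certified public key and compares."""
    if not check_certificate(prover_cert, trusted_ca_public):
        return False
    prover_public = tuple(prover_cert["body"]["public_key"])
    challenge = secrets.randbelow(prover_public[0])
    response = apply_key(challenge, prover_private)         # prover's side
    return apply_key(response, prover_public) == challenge  # verifier's side

def mutual_authentication(ca_public, alice_cert, alice_priv, bob_cert, bob_priv):
    """Alice authenticates Bob, then the same steps run in the opposite direction."""
    return (authenticate(ca_public, bob_cert, bob_priv)
            and authenticate(ca_public, alice_cert, alice_priv))
```

Calling keygen(1_000_000) for the CA, keygen(2_000_000) for Alice and keygen(3_000_000) for Bob gives three distinct key pairs; issue_certificate binds each name to its public key under the CA's signature, and mutual_authentication runs the slide's protocol in both directions. Using the wrong private key in authenticate makes it return False because the decrypted challenge no longer matches, a certificate signed by an untrusted CA is rejected before any challenge is sent, and changing a single byte of a signed message makes verify fail.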
Proxy Certificates
GSI Delegation
GSI enables users to delegate their proxy credentials to processes running on remote resources.
The remote processes and resources can thus act on a user's behalf.
This is used for complex applications, such as batch jobs that need access to Grid data storage using a particular user's credentials.
MyProxy
MyProxy is a credential management service for Grid users.
It can also perform the functions of a CA if need be.
A travelling Grid user can delegate a proxy to the MyProxy server before leaving home, as well as access to his long-term credential.
He could then delegate short-term (12-hour) certificates from MyProxy to other hosts to enable initiation of Globus jobs.
MyProxy
A MyProxy repository can help users manage their credentials by:
securely storing users' long-term private keys;
obtaining credentials from remote processes/users when needed;
using the credentials to act on a user's behalf.
MyProxy Illustrated
[Figure: a MyProxy client (user/process) stores a proxy in the MyProxy server's credential repository and later retrieves a proxy from it]
MyProxy Scenarios
[Figure: MyProxy scenario in which the CA is different from the MyProxy server]
GSI Authorisation
New users and resources are enrolled based on policies defined in the CAS server.
The CAS server also performs fine-grained access control to Grid resources.
When a user wants to access resources served by the CAS, that user makes a request to the CAS server.
If the CAS server's database indicates that the user has the appropriate privileges, the CAS issues the user a GSI proxy credential with an embedded policy giving the user the right to perform the requested actions.
The user then uses the credentials from the CAS to connect to the resource.
The resource then applies its local policy to determine the amount of access granted to the community, and further restricts that access based on the policy in the CAS credentials.
As a result, the user's privileges are limited to the intersection of those granted by the CAS to the user and those granted by the resource provider to the community.
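The CAS flow above, as an added Python model that is not part of the slides or of the Globus CAS implementation: the CAS database, the resource's local policy, the proxy credential layout (an embedded policy plus an expiry, using the short proxy lifetime the MyProxy slides mention) and the function names are all assumptions constructed for this example. The point it makes concrete is the intersection rule: a right is honoured only when the CAS credential carries it and the resource's local policy grants it to the community, and an expired credential grants nothing.

```python
import time

# Constructed model of the CAS authorisation flow on the slides. The policy
# format, the function names and the sample data are assumptions for this
# example, not the Globus CAS implementation.
COMMUNITY = "astro-vo"

# CAS server's database (constructed): the rights each community member holds.
CAS_DB = {
    "/O=Grid/CN=Alice": {"read", "write"},
    "/O=Grid/CN=Bob": {"read"},
}

# Resource provider's local policy (constructed): rights granted per community,
# decided independently of what CAS says about individual users.
LOCAL_POLICY = {"astro-vo": {"read", "list"}}

def cas_issue_proxy(user_dn, requested, lifetime_s=12 * 3600, now=None):
    """CAS checks its database and issues a proxy credential whose embedded
    policy covers only those requested actions the user actually holds."""
    now = time.time() if now is None else now
    granted = CAS_DB.get(user_dn, set()) & set(requested)
    if not granted:
        return None  # nothing to grant, so no credential is issued
    return {"subject": user_dn, "community": COMMUNITY,
            "policy": frozenset(granted), "not_after": now + lifetime_s}

def effective_rights(proxy, now=None):
    """Rights the resource honours: its local grant to the community
    intersected with the policy embedded in the CAS credential."""
    now = time.time() if now is None else now
    if proxy is None or now > proxy["not_after"]:
        return frozenset()  # missing or expired credential grants nothing
    local = frozenset(LOCAL_POLICY.get(proxy["community"], set()))
    return local & proxy["policy"]

def resource_decide(proxy, action, now=None):
    """Access-control decision at the resource for one requested action."""
    return action in effective_rights(proxy, now)
```

With the constructed data, Alice asks CAS for read, write and delete and receives a credential for read and write only; the resource grants the community read and list, so her effective rights are just read. Write is refused because the resource never granted it to the community, list is refused because the CAS credential does not carry it, and after the 12-hour lifetime the same credential yields nothing.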
Shibboleth
A Shibboleth Identity Provider is composed of single sign-on (SSO) and attribute authority (AA) services.
SSO: authenticates users locally and issues authentication assertions carrying a Handle.
An assertion is a short-lived bearer assertion.
The Handle is also short-lived and non-identifying.
The Handle is registered with the AA.
Shibboleth
A Service Provider is composed of an Assertion Consumer and an Attribute Requestor.
Assertion Consumer: parses authentication assertions.
Attribute Requestor: requests attributes from the AA.
Attributes are used for authorization.
[Figure: Shibboleth login flow. The user requests a resource from the Service Provider's web site; the SP ("I don't know you. Not even which home org you are from. I redirect your request to the WAYF") redirects to the WAYF, which asks "Please tell me where are you from?"; the user is sent to the Identity Provider, where the HS checks the Credentials against the User DB and issues a Handle; the SP's ACS receives the Handle, its AR presents the Handle to the IdP's AA and receives Attributes, and the Resource Manager uses the Attributes to grant access to the Resource. Components: Identity Provider (HS, AA, User DB); Service Provider (ACS, AR, Resource Manager, Resource); WAYF]
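The Identity Provider and Service Provider components described above, as an added Python simulation that is not Shibboleth code: the user database, the IdP name, the handle lifetime, the attribute names and the SP's authorisation rule are all constructed assumptions. What it shows is the division of labour the slides describe: the SSO service authenticates locally and hands out a random, short-lived handle that identifies nobody; the Assertion Consumer checks the assertion's issuer and lifetime; the Attribute Requestor trades the handle for just the attributes it needs; and authorisation is decided on those attributes, so the Service Provider never sees the user's credentials or username.

```python
import secrets
import time

# Constructed simulation of the Shibboleth components on the slides (SSO/HS, AA,
# Assertion Consumer, Attribute Requestor). Names, data and API are assumptions.
IDP_NAME = "idp.example.edu"
HANDLE_TTL = 300  # seconds: handles and assertions are short-lived

# Identity Provider's user database (constructed). Credentials and releasable
# attributes are kept apart so that the AA can never release the former.
USER_DB = {
    "alice": {"password": "correct horse battery",
              "attributes": {"affiliation": "staff", "department": "infotech"}},
}

class IdentityProvider:
    def __init__(self):
        self._handles = {}  # handle -> (username, expiry); registered with the AA

    def sso_authenticate(self, username, password, now=None):
        """SSO/HS: authenticate locally and issue an assertion carrying a handle."""
        now = time.time() if now is None else now
        user = USER_DB.get(username)
        if user is None or not secrets.compare_digest(
                user["password"].encode(), password.encode()):
            return None
        handle = secrets.token_urlsafe(16)  # random, so it carries no identity
        self._handles[handle] = (username, now + HANDLE_TTL)
        return {"issuer": IDP_NAME, "handle": handle, "not_after": now + HANDLE_TTL}

    def aa_attributes(self, handle, requested, now=None):
        """AA: resolve a live, registered handle to the requested attributes only."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None or now > entry[1]:
            return None
        attrs = USER_DB[entry[0]]["attributes"]
        return {k: attrs[k] for k in requested if k in attrs}

class ServiceProvider:
    REQUIRED = {"affiliation": "staff"}  # local authorisation rule (constructed)

    def __init__(self, idp):
        self.idp = idp  # stands in for the SP's network call to the AA

    def assertion_consumer(self, assertion, now=None):
        """Parse the authentication assertion; return its handle if acceptable."""
        now = time.time() if now is None else now
        if (assertion is None or assertion["issuer"] != IDP_NAME
                or now > assertion["not_after"]):
            return None
        return assertion["handle"]

    def attribute_requestor(self, handle, now=None):
        """Ask the AA for only the attributes the authorisation rule needs."""
        return self.idp.aa_attributes(handle, list(self.REQUIRED), now=now)

    def authorise(self, assertion, now=None):
        """Authorisation is decided on attributes, never on a username."""
        handle = self.assertion_consumer(assertion, now)
        if handle is None:
            return False
        attrs = self.attribute_requestor(handle, now)
        return attrs is not None and all(
            attrs.get(k) == v for k, v in self.REQUIRED.items())
```

The `now` parameters exist so the expiry behaviour can be exercised deterministically: an assertion issued at time 0 authorises at time 10 and is refused at time 1000, after HANDLE_TTL has passed, and an assertion from any issuer other than the configured IdP is rejected before the AA is ever asked.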